Worm Meets Beehive
I like this paper because it not only demonstrates a method, but it analyses the effectiveness of such a proposal. Study this one closely, the methods and findings are very interesting.
Internet worms continue to plague the Internet infrastructure with wider and deeper impact since the Morris Worm in early 1988. It has been further shown that better-engineered worms like Warhol worms and Flash worms could spread across the Internet in minutes or even tens of seconds rather than hours. Such virulent spreading invalidates any manual counter-measures and poses an extremely serious threat to the safety of the Internet.
To address this challenge, this paper proposes a novel worm-curtailing scheme, i.e., beehive, which is able to fight back worm propagation by actively immunizing any encountered worm-infected node. More specifically, by owning a portion of the unused but routable IP space that is open to infection attempts of different worms, a beehive not only attracts and traps these attempts, but also defensively gives a security shot to each attempting worm-infected node. The security shot will immunize the infected node so that the node will not be able to infect others. Our formal analysis shows that even one beehive network with a reasonable IP address space can effectively mitigate active spreading of worms among a million nodes. This paper presents both analysis and simulation results of beehive evaluation. Particularly, our results show that for a random-probing worm, a beehive network of 8 class B networks is able to reduce the maximum worm infection coverage to as low as 13%. To the best of our knowledge, no such worm fightback mechanism has been proposed and analyzed before. Finally, a beehive prototype is presented to demonstrate its practicality.
Source: Worm Meets Beehive, Xuxian Jiang, Dongyan Xu, Shan Lei, Paul Ruth and Jianzhong Sun.
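The fightback dynamics the abstract describes, as an added toy simulation that is not the paper's model or code: a mean-field (expected-value) worm that probes random addresses, where a probe landing in beehive-owned space immunizes the probing node. The 2^32 address space, the probe rate, the single-hit immunization rule and the population sizes are all assumptions, so the numbers it produces are illustrative only.

```python
"""Toy mean-field model of a random-probing worm meeting a beehive.

Constructed illustration, not the paper's model: every infected node sends
r random probes per tick into a 2^32 address space. A probe that lands on a
still-vulnerable node infects it; a probe that lands on beehive-owned space
gets the probing node a "security shot", removing it from the infectious
pool for good. Deterministic expected-value dynamics, no randomness.
"""
from dataclasses import dataclass

ADDRESS_SPACE = 2 ** 32          # IPv4 space (assumption: treated as fully routable)
CLASS_B = 2 ** 16                # addresses in one class B network


@dataclass
class Outcome:
    peak_infected: int           # largest number of simultaneously infected nodes
    peak_coverage: float         # peak_infected / vulnerable population
    died_out: bool               # True once fewer than one node remains infectious
    ticks: int                   # ticks simulated


def simulate(vulnerable: int, beehive_addrs: int, probes_per_tick: int = 100,
             initial_infected: int = 1, max_ticks: int = 50_000) -> Outcome:
    """Run the mean-field dynamics and report the peak worm coverage."""
    s = float(vulnerable - initial_infected)   # susceptible (not yet infected)
    i = float(initial_infected)                # infectious
    peak, died_out, t = i, False, 0
    p_hit_beehive = beehive_addrs / ADDRESS_SPACE
    # probability that at least one of a node's r probes lands in the beehive
    p_shot = 1.0 - (1.0 - p_hit_beehive) ** probes_per_tick
    for t in range(1, max_ticks + 1):
        new_infections = min(i * probes_per_tick * s / ADDRESS_SPACE, s)
        immunized = i * p_shot                  # infected nodes cured this tick
        s -= new_infections
        i += new_infections - immunized
        peak = max(peak, i)
        if i < 1.0:
            died_out = True
            break
    return Outcome(round(peak), peak / vulnerable, died_out, t)


if __name__ == "__main__":
    for blocks in (0, 1, 8):
        out = simulate(vulnerable=1_000_000, beehive_addrs=blocks * CLASS_B)
        print(f"{blocks} class B beehive: peak coverage {out.peak_coverage:.1%}, "
              f"died out={out.died_out} after {out.ticks} ticks")
```

In this toy model the worm can only grow while the susceptible population exceeds the beehive's address count, which is why a beehive sized in class B blocks, not class C blocks, matters against a million-node vulnerable population.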
April 6, 2005 in honeypots, papers
Comments
Intrinsic Security has been quietly developing and marketing a system based on our own intrusion suppression technology since the fourth quarter of 2003 (since before we settled on a name, in fact -- good domain names are hard to find). Our intrusion suppression technology employs some honeypot concepts.
If I may be so bold, let me say that I'm happy to see that this research appears to confirm some of our experience.
: )
We were surprised to discover how effective a small number of antiworm intrusion suppression sensors could be on a large network.
At our first customer site (a confidential government client) we deployed an early version of the product in October of 2003. With fewer than 20 sensors, each monitoring roughly a Class C sized network, we were able to demonstrate surprising suppression of worm outbreaks on a network larger than 8 Class B address blocks. Better coverage provides better suppression, as you would expect.
We have recently de-cloaked and begun public marketing of our FireBreak AntiWorm http://intrinsicsecurity.com/ system.
Posted by: Gary W. Longsine | May 25, 2005 8:32:46 PM
The comments to this entry are closed.